Cybersecurity is no longer just a technical challenge – it's a leadership one

Cyber literacy is now a baseline business leadership skill. Image: Getty Images/iStockphoto

Öykü Işık
Professor, Digital Strategy and Cybersecurity, IMD Business School
Samar Ali
Chief Executive Officer, Millions of Conversations
Sami Khoury
Senior Official for Cyber Security, Communications Security Establishment
  • The widespread scale of cybercrime now makes cybersecurity a strategic imperative for business leaders.
  • As well as systems protection, leaders must also take on wider societal issues that are a consequence of cyberattacks.
  • Cyber literacy is now a leadership must – but two main challenges stand in the way.

The World Economic Forum’s Global Cybersecurity Outlook 2024 notes that 91% of business leaders believe a catastrophic cyber event is at least somewhat likely in the next two years. In 2023 alone, the global average cost of a single data breach reached $4.45 million, a 15% increase over the past three years. Beyond financial damage, recent cyberattacks have disrupted hospitals, paralyzed local governments, disrupted business systems and threatened national infrastructure. These developments underscore a simple reality: Cybersecurity is no longer just a technical issue for IT teams – it is a strategic imperative for leaders.

The implications extend well beyond financial losses. Cyberthreats can destabilize societies, erode trust in institutions and even threaten national security. Cybersecurity today is as much about leadership, governance and resilience as it is about technology. Protecting systems is only part of the task; leaders must also manage the polarization caused by cyberattacks that are eroding public trust, uphold ethics and safeguard society.

A striking illustration came during the spring of 2022, when a wave of coordinated distributed denial-of-service (DDoS) attacks targeted Romanian government websites, military portals, bank platforms and media outlets. These attacks were traced to Killnet, a pro‑Kremlin hacktivist group, and followed public remarks by Romania’s Senate President about supplying military aid to Ukraine. The cyber sabotage was widely interpreted as retaliation for Romania's support of Ukraine in its conflict with Russia.

More recently, pro-Russian hacker groups have targeted Ukrainian and European infrastructure not just to cause disruption but also to amplify disinformation and weaken political cohesion. Incidents like these are happening all over the world and show that cyberattacks can serve as accelerants of societal fragmentation, with ripple effects far beyond the digital realm.

When these types of crises occur in the private and public sectors (whether during an election, a corporate breach, or a geopolitical conflict), leaders are expected to provide clarity and reassurance, while simultaneously ensuring swift solutions to the security breach. Their words shape confidence. Yet too often, leaders remain vague or silent on cyber issues, hindered by a lack of technical understanding and the definitional ambiguity of the field.

Many C-suite executives and policy-makers even retreat from formulating strategies when overwhelmed by cybersecurity jargon, increasing their vulnerability to attack. In one hospital, for example, a board dismissed the need for a cyber resilience plan until after a major breach occurred, simply because members felt intimidated by technical complexity. Additionally, a multibillion-dollar company collapsed practically overnight after a cyberattack because the CEO wasn’t prepared to address the topic, losing the confidence of its consumers as a result. Such blind spots unfortunately leave organizations reactive rather than proactive.

Cyber literacy must therefore become a baseline leadership competency. Just as financial literacy became a requirement for corporate boards after the Enron scandal, cyber literacy is fast becoming a necessity for 21st-century leadership. Normalizing cybersecurity as a shared responsibility across governments, businesses and society means enabling leaders to ask the right questions, hold experts accountable and communicate clearly with stakeholders. Cybersecurity is no longer a specialist’s concern; it is a core dimension of leadership in the digital age.

Two challenges stand in the way: definitional ambiguity and a global trust deficit.

1. Definitional ambiguity

Research shows no universally accepted definition of cybersecurity, creating confusion across policy and practice (Neil et al., 2023). Regulators often fall back on vague requirements for “reasonable cybersecurity” without clarifying what that entails (Brookings, 2024). A pragmatic way forward is to establish working definitions accessible for non-experts (grounded in principles like confidentiality, integrity and availability), while embedding ethical considerations such as privacy, transparency and fairness.

Organizations such as NIST and ISO are already publishing simplified frameworks for non-technical audiences. Companies can build on these by developing “cyber playbooks” for executives and boards that translate risks into business language. The EU Cyber Resilience Act (2023) reinforces this shift by mandating ethical and resilient practices, ensuring that cybersecurity strategies are not only protective but also principled.

2. The trust deficit

Trust in leadership is at historic lows. The Edelman Trust Barometer (2024) found that fewer than half of respondents trust leaders to tell the truth. Without trust, even technically sound cyber strategies fail to reassure employees, citizens or markets. Leaders must therefore build credibility by demonstrating cyber literacy – not by becoming tech engineers, but by asking informed questions, overseeing risk management, and communicating effectively about threats and responses.

Practical steps that can help are emerging. Many companies run executive cyber simulations or invest in cybersecurity immersion learning journeys at the executive team level, and rehearse responses to cyberattacks. These exercises expose leaders to both technical and reputational stakes, preparing them to lead under pressure. Short capacity-building programmes also give executives the confidence to discuss cybersecurity without deferring entirely to technical teams.

Cybersecurity is no longer the sole domain of firewalls and encryption. It is a question of trust, governance and leadership. As digital transformation accelerates, leaders must bridge the twin gaps of definition and trust that leave societies vulnerable.

License and Republishing

World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.

The views expressed in this article are those of the author alone and not the World Economic Forum.

© 2025 World Economic Forum